Description of problem: Validate empty host subject from qemu exactly like when no explicit host subject is specified Version-Release number of selected component (if applicable): spice-gtk-0.13.29-3.el6.x86_64 How reproducible: always Steps to Reproduce: 0, commont to both: generate CA and server certs to that CN= field in server cert subject matches your machine hostname (e.g Subject: O=rh,CN=my-laptop.example.com) A: plain connection: 1. run qemu: qemu-kvm -spice tls-port=SPORT,x509_dir=DIR,disable-ticketing 2. connect to the qemu: remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT B: migration 1. run source qemu: qemu-kvm -monitor stdio -spice tls-port=SPORT1,x509_dir=DIR,disable-ticketing 2. run destination qemu: qemu-kvm -monitor stdio -spice tls-port=SPORT2,x509_dir=DIR,disable-ticketing 3. connect to the source qemu: remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT1 4. instruct source qemu to migrate the client without specifying host subject: __com.redhat_spice_migrate_info my-laptop.example.com 0 SPORT2 Actual results: A: r-v connects successfully because my-laptop.example.com FQDN matches CN in the certificate B: r-v won't connect to the destination qemu with error: (/usr/bin/remote-viewer:21596): Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed Expected results: A: the same B: r-v should treat empty host subject as no host subject and verify CN= from Subject field with hostname Additional info:
patch sent to ML
in spice-gtk-0.14-5.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0343.html